From 5f504f14a9085d97b6d76d7bcb4d6a86b522801e Mon Sep 17 00:00:00 2001
From: Quentin Young <qlyoung@cumulusnetworks.com>
Date: Tue, 17 Apr 2018 16:55:59 -0400
Subject: [PATCH] pbrd: remove unsafe string copy

A user could overflow the pbr_ifp->mapname buffer by entering a pbr-map
name longer than 100 characters.

Coverity #1467821
Coverity #1467821

Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
---
 pbrd/pbr_vty.c | 25 +++++++++----------------
 1 file changed, 9 insertions(+), 16 deletions(-)

diff --git a/pbrd/pbr_vty.c b/pbrd/pbr_vty.c
index 87ec3804a5..f598b2645c 100644
--- a/pbrd/pbr_vty.c
+++ b/pbrd/pbr_vty.c
@@ -322,27 +322,20 @@ DEFPY (pbr_policy,
 
 	if (no) {
 		if (strcmp(pbr_ifp->mapname, mapname) == 0) {
-			strcpy(pbr_ifp->mapname, "");
-
+			pbr_ifp->mapname[0] = '\0';
 			if (pbrm)
 				pbr_map_interface_delete(pbrm, ifp);
 		}
 	} else {
-		if (strcmp(pbr_ifp->mapname, "") == 0) {
-			strcpy(pbr_ifp->mapname, mapname);
-
-			if (pbrm)
-				pbr_map_add_interface(pbrm, ifp);
-		} else {
-			if (!(strcmp(pbr_ifp->mapname, mapname) == 0)) {
-				old_pbrm = pbrm_find(pbr_ifp->mapname);
-				if (old_pbrm)
-					pbr_map_interface_delete(old_pbrm, ifp);
-				strcpy(pbr_ifp->mapname, mapname);
-				if (pbrm)
-					pbr_map_add_interface(pbrm, ifp);
-			}
+		if (strcmp(pbr_ifp->mapname, "") != 0) {
+			old_pbrm = pbrm_find(pbr_ifp->mapname);
+			if (old_pbrm)
+				pbr_map_interface_delete(old_pbrm, ifp);
 		}
+		snprintf(pbr_ifp->mapname, sizeof(pbr_ifp->mapname),
+			 "%s", mapname);
+		if (pbrm)
+			pbr_map_add_interface(pbrm, ifp);
 	}
 
 	return CMD_SUCCESS;